The present invention relates to computer systems, and more particularly to systems, methods and software for detecting, preventing, responding to and/or otherwise dealing with online fraud.
Electronic mail (“email”) has become a staple of modern communications. Unfortunately, however, anyone who uses email on a regular basis is familiar with the vast quantities of “spam” (unsolicited email) sent to nearly every email addressee from various advertisers. Although somewhat analogous to traditional paper “junk mail,” spam is unique in that, for virtually no cost, a purveyor of spam (“spammer”) can easily and quickly generate and transmit copious amounts of spam. Further, limitations in the Internet-standard simple mail transport protocol (“SMTP”) allow spammers to transmit spam with relative anonymity and, therefore, with correspondingly little accountability. Consequently, even though spam annoys the vast majority of recipients and, thus, generates few successful sales opportunities for the spammer relative to the amount of spam transmitted, the spam “industry” is burgeoning: Given their ability to inexpensively and quickly transmit enormous quantities of spam, spammers can make a handsome profit even from the relatively low response rate to the spam advertising.
By their nature, spammers continually search for new recipients (victims) to which to send spam. The spam “industry,” therefore, has launched a derivative industry of “harvesters,” who scour the Internet and other sources to generate lists of valid email addresses, which they then sell to the spammers. (Obviously, since these activities go hand-in-hand, many spammers act as harvesters for themselves or their fellow spammers.) Harvesters use a variety of techniques for obtaining email address lists, and often develop automated search programs (commonly referred to as “robots” or “webcrawlers”) that continually skulk about the Internet searching for new email addresses. For example, harvesters obtain email addresses from Internet (and other) news groups, chat rooms, and directory service (e.g., white pages) sites, as well as message boards, mailing lists, and web pages, on which users commonly provide email addresses for feedback, etc.
The success of spam as a marketing technique has begun to result in the use of spam to perpetrate “phishing” operations. A phishing operation can be defined as any type of social engineering attack (typically relying on the illegitimate use of a brand name) to induce a consumer to take an action that he/she otherwise would not take. Phishing scams can operate by bribery, flattery, deceit, cajoling and through other methods. Phishing operations often involve mass contact of consumers (for example, by “spam” email messages, text messages, VoIP calls, instant messages, etc. as well as through other devices) and generally direct contacted consumers to a response site, which often is a web site but can also be a telephone number, etc.
One fairly common example of a phishing scam is a spam email message advertising a well-known software application or package (which in fact was pirated or otherwise obtained illegitimately) at a greatly reduced price, and directing respondents to a web site where the software can be purchased. Upon visiting the site, consumers would (or should) know that the advertised price is grossly unrealistic and probably indicates some type of illegitimacy, such as black- or gray-market goods. Some consumers, however, either out of ignorance or willful blindness, will accept the phisher's assurances that the software is legitimate and therefore will purchase the illegitimate software, completing the phishing scam.
Another common phishing operation is known as a “spoofing” scam. This practice involves inserting a false email address in the “From” or “Reply-to” headers of an email message, thereby misleading the recipient into believing that the email originated from a relatively trusted source. Spoofed emails often appear to be from well-known Internet service providers (“ISPs”) (such as, for example, America Online™ and The Microsoft Network™), or other high-profile entities with easily-identifiable email addresses (including, for example, IBM™, Microsoft™, General Motors™ and E-Bay™, as well as various financial institutions, online retailers and the like). This spoofing is unacceptable to these entities for many reasons, not the least because it causes customer confusion, destroys the value of a well-cultivated online presence, creates general mistrust of the spoofed brands and largely dilutes the value of a reputable entity's online communications and transactions.
Further, in many cases, spammers and/or spoofers have developed avenues of disseminating information amongst their “industry,” including a variety of online fora such as message boards, chat rooms, newsgroups, and the like. At such locations, spammers often discuss strategies for more effective spamming/spoofing, new spoof sites, etc., as well as trade and/or advertise lists of harvested addresses. By using these resources, spammers and/or spoofers can focus on the most effective spamming/spoofing techniques, learn from and/or copy the spoofed web sites of others, and the like. Such resources also allow a new spammer or spoofer to quickly pick up effective spamming and/or spoofing techniques.
Perhaps most alarmingly, spam (and spoofed spam in particular) has increasingly been used to promote fraudulent activity such as phishing attacks, including identity theft, unauthorized credit card transactions and/or account withdrawals, and the like. This technique involves masquerading as a trusted business in order to induce an unsuspecting consumer to provide confidential personal information, often in response to a purported request to update account information, confirm an online transaction, etc. Merely by way of example, a spoofer may send a spoof email purporting to be from the recipient's bank and requesting (ironically) that the recipient “confirm” her identity by providing confidential information by reply email or by logging on to a fraudulent web site. Similarly, a common spoofed message requests that the recipient log on to a well-known e-commerce site and “update” credit card information stored by that site.
Spam messages (and in particular those that are part of a phishing scheme) often include a uniform resource locator (“URL”) linking to the web site of the phisher. The web site may, for example, be a response point for the sale of illegitimate goods. In other cases, the URL may be configured to appear to be associated with the web site of a spoofed sender, but may actually redirect the recipient to a spoofed web site (i.e., a web site that imitates or is designed to look like the web site of the spoofed source of the email). Upon visiting the spoofed web site, the recipient may be presented with a form that requests information such as the recipient's address, phone number, social security number, bank account number, credit card number, mother's maiden name, etc. The recipient, believing that she is communicating with a trusted company, may provide some or all of this information, which then is at the spammer's disposal to use for any of a variety of illegitimate purposes. (In some cases, the link may be configured to present a legitimate web site, with an illegitimate and/or spoofed popup window presented over the legitimate web site with instructions to provide personal information, etc., which will be collected by the phisher.)
Thus, phishing scams and other illegitimate online activities have flourished. While such activity is indisputably both illegal and immoral, the relative anonymity of the phishers, as well as the international nature of the Internet, hinders effective legal prosecution for these activities. Merely by way of example, the server associated with a fraudulent web site may be located in a country from which prosecution/extradition is highly unlikely. Moreover, these fraudulent web sites are often highly transient, existing on a given server or ISP for a short time (perhaps only a matter of days or even hours) before the phisher moves on to a new server or ISP. Compounding the enforcement problem is the fact that many of the servers hosting fraudulent web sites are legitimate servers that have been compromised (or “hacked”) by the phisher or his associates, with the owner/operator of the server having no idea that the server is secretly being used for illegitimate purposes.
Accordingly, there is a need for efficient solutions to deal with these abuses.